The U.S. Supreme Court recently heard oral arguments in U.S. v. Microsoft, tackling the question of whether an organization can refuse to disclose foreign-stored data sought by the U.S. government through domestic warrants. Currently, the Second Circuit says yes while other circuits tend to say no.

While several district courts have concluded that it is not an extraterritorial seizure to enforce warrants that require organizations to produce U.S. users’ account data stored in foreign servers, these decisions conflict with precedent from the Second Circuit Court of Appeals. The Second Circuit held that Microsoft could not be compelled to comply with a warrant if it meant producing foreign-stored data for use in a domestic case. Elsewhere in the United States, judges have rejected the Second Circuit’s decision, ordering the production of foreign-stored data pursuant to domestic warrants. These decisions follow the reasoning that a court can order the production of anything that can be accessed and delivered within the United States. Accordingly, no relevant extraterritoriality concerns are implicated despite the storage of data in a foreign location. Outside of the Second Circuit, it is clear that courts are focusing on where the access to and disclosure of the stored data occurs (domestically) rather than the location of the data (internationally). Conversely, the Second Circuit’s Microsoft decision focuses on the seizure of the data from a foreign location, which is where it locates the privacy violations and applies its extraterritoriality analysis.

Legislation could fix the differing interpretations, but despite near universal agreement that the Electronic Communications Privacy Act of 1986 needs to be updated and the repeated introduction of new legislation, Congress has been slow to act. Thus, both parties urged the Supreme Court to clarify the law during oral arguments in U.S. v. Microsoft, which focused on whether the search, retrieval, and disclosure of foreign-stored data constituted an extraterritorial act, and if so, how the law should apply.

The Second Circuit and Microsoft

The Second Circuit’s decision in July 2016 held that Microsoft could not be forced to turn over emails stored on a server in Dublin, Ireland, for use in a domestic case.  This decision in In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation (“Microsoft Decision”) reversed an April 2014 Southern District of New York ruling denying Microsoft’s motion to quash a warrant issued under the Stored Communications Act (“SCA”) directing Microsoft to disclose records within its control pertaining to a specific email account.  That court had determined that “an entity lawfully obligated to produce information” in its control “must do so regardless of the location of that information.” The Second Circuit disagreed and concluded that the relevant focus of the SCA warrant provisions is on maintaining the privacy of users’ stored communications, meaning that foreign-stored communications should not be disclosed, because “the invasion of the customer’s privacy takes place” where the protected data is stored. In the Second Circuit’s opinion, this means that Microsoft would be forced to perform a foreign seizure of the communications in question while “acting as an agent of the government.”

The concurring opinion highlighted the potential slippery slope underpinning the logic of the dissenter’s position concerning the location of the disclosure as dispositive.  Specifically, Judge Lynch expressed concern that, under the dissenter’s logic, the door could be open for an SCA warrant to obtain content stored in Ireland in an account established in Ireland by an Irish citizen in violation of Irish law merely because the service provider has a branch office in the United States with access to the account.

Although Judge Lynch disagreed with the “majority’s determination that the locus of the invasion of privacy is where the private content is stored,” calling that determination “suspect when the content consists of emails stored in the ‘cloud,’” he indicated that it was “at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides.”  Despite this distinction, Judge Lynch concluded that the panel majority had reached the correct result because he felt that Congress had not “demonstrated a clear intention to reach situations of this kind in enacting” the SCA, especially “in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country.”

In January 2017, the Second Circuit denied rehearing of the Microsoft case in an evenly divided decision (“Microsoft II”).  Three judges recused themselves and four judges separately dissented from the rehearing denial.  Notably, the dissenting judges believed that the conduct that is the subject of the warrant was the provider’s disclosure of emails and not their access to customer data, and the disclosure to the DOJ would necessarily take place in the United States.  Further, the dissenting judges argued that “no extraterritorial reach is needed to require delivery in the United States of the information sought,” because the warrant asked for data “already within the grasps of a domestic entity.”  The dissent also acknowledged a theme that was present in the Second Circuit’s 2016 opinion: the difficulty of applying a statute passed in 1986 to present technology.

The Rest of the United States

In analogous cases throughout the country—including the Eastern District of Pennsylvania, the Eastern District of Wisconsin, the Middle District of Florida, the Northern District of California, and the D.C. District Court—magistrate judges have rejected the Second Circuit’s decision in Microsoft and ordered organizations to produce foreign-stored data pursuant to SCA warrants.  These decisions adhere to the principle that a court can order any organization that is subject to the court’s jurisdiction to disclose anything it can access and deliver within the United States. Following this reasoning, no relevant extraterritoriality concerns are implicated by the foreign storage of user data.

In February 2017, U.S. Magistrate Judge Thomas Rueter in Philadelphia ordered Google Inc. (“Google”) to comply with search warrants and transfer email from a foreign server to be reviewed locally, because there was “no meaningful interference” with the account holder’s “possessor interest” in the data sought.  Judge Reuter reasoned that for the purposes of the warrant, the seizure of the information occurs where the search is conducted, and the “actual infringement of privacy occurs at the time of disclosure”; both in the United States.  U.S. District Judge Juan Sánchez upheld Judge Reuter’s ruling in August 2017.  In his analysis, “the location of the provider and where it will disclose the data [is what] matter[s] in the extraterritoriality analysis.”  Citing one of the dissents from Microsoft II, Sánchez distinguished “[t]he nature of electronic documents. Unlike paper documents, which have a tangible physical existence and location,” electronic documents are “literally intangible” making their location on a foreign server “merely virtual.”  This virtual presence is particularly relevant in regard to Google because, for network efficiency purposes, the company splits digital data into shards and relocates these pieces according to an algorithm between servers located around the globe in contrast to Microsoft, which stores data in fixed locations according to user proximity.

Also in February 2017, Magistrate Judge William E. Duffin in the Eastern District of Wisconsin ordered Yahoo! Inc. (“Yahoo”) and Google to comply with search warrants.  Citing the “persuasive” “analysis of the four judges dissenting” from Microsoft II, Judge Duffin determined that the service provider’s chosen storage location for customer data “is immaterial,” and that “what matters is the location of the service provider” in the U.S., because that is where the data is accessed and turned over to the government.

In April 2017, Magistrate Judge Thomas B. Smith in the Middle District of Florida held that the SCA could be used to compel Yahoo to produce foreign-stored information.  Disagreeing with the Microsoft Decision, the judge said that the focus of the SCA is not on the privacy interests in stored communications but rather on the compelled disclosure. Because the compelled disclosure takes place in the United States, Yahoo must produce information pursuant to the SCA warrant even if that information is stored on a foreign server.

Also in April 2017, Magistrate Judge Laurel Beeler in the Northern District of California ordered Google to comply with a search warrant issued pursuant to the SCA for data “regardless of the data’s actual location.”  In her opinion, Judge Beeler accepted that SCA warrant provisions do not apply extraterritorially but concluded that warrants in this case should be viewed as “a domestic application of the SCA” rather than an extraterritorial one.  In August 2017, her opinion was reviewed de novo and affirmed, with U.S. District Court Judge Richard Seeborg ordering Google to produce “all content responsive to the search warrant that is accessible, searchable, and retrievable from the United States pursuant to the terms of the warrant” (emphasis added).  Currently, Google is refusing to produce materials stored abroad, despite federal prosecutors’ calls for sanctions, and is seeking an appeal, pending the Supreme Court’s decision in Microsoft.

In June 2017, Magistrate Judge G. Michael Harvey in the District of Columbia directed Google to comply with a warrant issued under the SCA for contents of a particular Google account.  Based on an interpretation of the SCA that emphasizes disclosure over privacy and access over seizure, and considering the contents of Google’s user agreement, the court held that Google is not seizing data. Rather, it already has access.  Google users have no capacity to control the storage location of their data, because they agree to allow Google to access and transfer their data at will when registering for an account.  That is, the data sought by the SCA warrant is already in Google’s possession, custody, and control, and Google can access it without further authorization.  U.S. District Court Judge Beryl A. Howell affirmed this ruling in July 2017.

Recently Proposed Legislative Solutions

At the end of May 2017, law enforcement access to data stored abroad was the subject of a Senate Judiciary Committee, Subcommittee on Crime and Terrorism hearing, which was in part another reconsideration of how to update the Electronic Communications Privacy Act of 1986 (ECPA), which created the SCA.  While it is acknowledged by members of Congress on both sides of the aisle that ECPA is seriously out of date, proposals to update it have generally failed.  In July 2017, S. 1671, the International Communications Privacy Act, was referred to the Senate Judiciary Committee. It aimed to clarify the SCA’s warrant requirement as it pertains to “global electronic communications while respecting the data privacy laws of other countries” and had broad support from technology companies and industry groups. The House of Representatives held a corresponding hearing on the lawful access to and privacy protection of data stored abroad in June 2017, during which the Department of Justice in light of Microsoft II urged Congress reform the law.

More recently, Congress introduced the bipartisan Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which would make the argument at issue in Microsoft moot. In part, the CLOUD Act makes all data in the “possession, custody, or control” of the provider attainable under the SCA, regardless of where the data is physically stored. “Possession, custody, or control” of course has its own Circuit Court variances in definition, which could still create issues in applying the law uniformly. Several tech companies, including Apple, Facebook, Google, and Microsoft, authored a letter to the Senators who sponsored the CLOUD Act, stating that “if enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law.” The letter further comments that the CLOUD Act is a “logical solution for governing cross-border access to data.” Privacy groups disagree, seeing the legislation as a “dangerous expansion” of “law enforcement’s ability to target and access people’s data across international borders” and saying it does not adequately protect the privacy of cloud storage.

Parsing the Current Landscape

Initially, the factual distinction between Microsoft’s and Google’s cloud storage solutions seemed to account for the differing outcomes in the Microsoft Decision and the subsequent Eastern District of Pennsylvania case involving Google.  Google breaks up emails, and freely and regularly transfers user data from one data center around the globe to another without the customer’s knowledge.  Not only do such transfers not interfere with the customer’s access or possessory interest in the user data, but this also means that data does not reside primarily in a single, identifiable foreign location.  Microsoft, on the other hand, does not freely transfer its data, but allocates its storage based on proximity to a location selected by the user during account registration, meaning that the Second Circuit could more easily determine that specific data resided primarily in a fixed jurisdictional location.  If Google’s data lacks an alternate, identifiable jurisdictional location, no other foreign discovery options are readily available.

However, the subsequent opinions make it clear that the courts are focusing on the locations of the access to and disclosure of the stored data, which occur in the United States, rather than the location of the data itself.  Conversely, the Microsoft Decision focused on the seizure of the data from a foreign location, which is where it locates the privacy violations and applies its extraterritoriality analysis.

Clearly, all of these cases are criminal ones.  Civil litigants, however, may note the passing references in some opinions to possession, custody, or control, which seem to be the key to understanding how a court may analyze similar civil cases. For example, in the initial court order granting the warrants overturned in the Microsoft Decision, Magistrate Judge James C. Francis IV, determined that the SCA’s warrant provisions were substantially similar to “those associated with a subpoena to produce information in [an organization’s] possession, custody, or control regardless of the location of that information.” The Second Circuit interprets possession, custody, or control broadly, requiring parties in civil litigation to preserve, collect, search, and produce all documents a party has the practical ability to obtain.

Producing foreign-stored documents whether compelled by a subpoena or a warrant may implicate the privacy laws of other countries, which can have their own consequences.  For example, under the European Union’s General Data Protection Regulation (GDPR), which comes into effect in May 2018, simply complying with a U.S. search warrant may be unlawful without additional steps. Brad Smith, Chief Legal Officer of Microsoft, testified that “U.S. law enforcement will be significantly restricted in its ability to obtain digital information covered by the GDPR unless it issues demands through international processes, instead of using unilateral, U.S.-based warrants.”

Developments at the Supreme Court Level

On June 23, 2017, the Department of Justice filed a petition for a writ of certiorari, asking the United States Supreme Court to overturn the Microsoft II decision blocking the warrant.  In its petition, the Department of Justice argues that the SCA’s requirement to disclose information is a domestic application, not an extraterritorial one, and that the Second Circuit’s decision conflicts with “unanimous holdings of courts that a domestic recipient of a subpoena is required to produce specified materials within the recipient’s control, even if the recipient stores the materials abroad.”  Microsoft argues in opposition that the focus of the SCA is properly on “communications in storage” and that it “applies where the communications are stored.” Because the statute does not apply abroad, a point both parties agree on, “the SCA reaches only communications stored in the United States.” The Supreme Court granted the petition on October 16, 2017.  This high-profile case has garnered attention from many interested parties, resulting in the filing of over 30 amicus briefs by organizations ranging from The New Zealand Privacy Commissioner and the European Commission on Behalf of the European Union to Members of Congress and IBM.

The Supreme Court heard argument on February 27, 2018, bringing us one step closer to a ruling that could give cloud storage providers and domestic users of their services much anticipated guidance as to how far the U.S. government can reach into their digital private lives. As the Second Circuit acknowledged, the Supreme Court is grappling with the application of “decades-old law to modern technology.” The oral argument focused on the disclosure (which would happen in the United States) and search (of data currently stored in Ireland) aspects of the SCA. Justices Ginsberg and Gorsuch honed in on the physical characteristics of data storage abroad, which means that some act has to take place in a foreign location for the data to be retrieved. Microsoft argued that retrieving and disclosing the data constitutes an “extraterritorial act,” even if a human being is not involved: “if you sent a robot into a foreign land to seize evidence, it would certainly implicate foreign interests.” In opposition, the government stated that such a disclosure would be analogous to a federal court requiring a defendant to access foreign assets to pay a fine. Justice Roberts seemed skeptical of Microsoft’s claims, stating that it is “not the government’s fault that [the data is] located overseas” and suggesting that storing data overseas could be a way for providers to attract customers interested in keeping their data out of the government’s grasp. Justice Alito seemed to share Justice Roberts’ concerns. Conversely, Justice Sotomayor noted the potential to create “international problems” by expanding the SCA’s extraterritorial reach. The government countered that “there is not an international problem here. This is largely a mirage that Microsoft is seeking to create.” Justice Breyer attempted to find a compromise, suggesting that when faced with a government warrant, companies could ask a judge whether the warrant was enforceable in light of competing foreign law concerns. Other Justices inquired as to the government’s ability to obtain said data outside of the SCA, for example through multi-lateral treaties (MLATs); concerns about foreign sovereignty; and whether they should wait for the CLOUD Act to be enacted. Justices Ginsburg and Sotomayor both appeared to believe that legislation rather than the Supreme Court should resolve the issue. Both parties asked the Supreme Court to decide upon the law as it currently stands without waiting for Congress to act. The Supreme Court’s decision is anticipated before the end of June 2018, assuming Congress does not pass legislation to resolve the issue in the meantime.